Try SpotterCreate and delete WAF Web ACLs
| "added in version" 1.5.0 of community.aws"
Authors: Markus Bergholz (@markuman)
Install with ansible-galaxy collection install community.aws:==5.1.0
collections:
- name: community.aws
version: 5.1.0Create, modify or delete AWS WAF v2 web ACLs (not for classic WAF).
See docs at U(https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html)
- name: Create test web acl
community.aws.wafv2_web_acl:
name: test05
description: hallo eins
scope: REGIONAL
default_action: Allow
sampled_requests: false
cloudwatch_metrics: true
metric_name: test05-acl-metric
rules:
- name: zwei
priority: 0
action:
block: {}
visibility_config:
sampled_requests_enabled: true
cloud_watch_metrics_enabled: true
metric_name: ddos
statement:
xss_match_statement:
field_to_match:
body: {}
text_transformations:
- type: NONE
priority: 0
- name: admin_protect
priority: 1
override_action:
none: {}
visibility_config:
sampled_requests_enabled: true
cloud_watch_metrics_enabled: true
metric_name: fsd
statement:
managed_rule_group_statement:
vendor_name: AWS
name: AWSManagedRulesAdminProtectionRuleSet
# AWS Managed Bad Input Rule Set
# but allow PROPFIND_METHOD used e.g. by webdav
- name: bad_input_protect_whitelist_webdav
priority: 2
override_action:
none: {}
visibility_config:
sampled_requests_enabled: true
cloud_watch_metrics_enabled: true
metric_name: bad_input_protect
statement:
managed_rule_group_statement:
vendor_name: AWS
name: AWSManagedRulesKnownBadInputsRuleSet
excluded_rules:
- name: PROPFIND_METHOD
# Rate Limit example. 1500 req/5min
# counted for two domains via or_statement. login.mydomain.tld and api.mydomain.tld
- name: rate_limit_example
priority: 3
action:
block: {}
visibility_config:
sampled_requests_enabled: true
cloud_watch_metrics_enabled: true
metric_name: mydomain-ratelimit
statement:
rate_based_statement:
limit: 1500
aggregate_key_type: IP
scope_down_statement:
or_statement:
statements:
- byte_match_statement:
search_string: login.mydomain.tld
positional_constraint: CONTAINS
field_to_match:
single_header:
name: host
text_transformations:
- type: LOWERCASE
priority: 0
- byte_match_dtatement:
search_string: api.mydomain.tld
positional_constraint: CONTAINS
field_to_match:
single_header:
name: host
text_transformations:
- type: LOWERCASE
priority: 0
purge_rules: true
tags:
A: B
C: D
state: present
- name: Create IP filtering web ACL
community.aws.wafv2_web_acl:
name: ip-filtering-traffic
description: ACL that filters web traffic based on rate limits and whitelists some IPs
scope: REGIONAL
default_action: Allow
sampled_requests: true
cloudwatch_metrics: true
metric_name: ip-filtering-traffic
rules:
- name: whitelist-own-IPs
priority: 0
action:
allow: {}
statement:
ip_set_reference_statement:
arn: 'arn:aws:wafv2:us-east-1:123456789012:regional/ipset/own-public-ips/1c4bdfc4-0f77-3b23-5222-123123123'
visibility_config:
sampled_requests_enabled: true
cloud_watch_metrics_enabled: true
metric_name: waf-acl-rule-whitelist-own-IPs
- name: rate-limit-per-IP
priority: 1
action:
block:
custom_response:
response_code: 429
custom_response_body_key: too_many_requests
statement:
rate_based_statement:
limit: 5000
aggregate_key_type: IP
visibility_config:
sampled_requests_enabled: true
cloud_watch_metrics_enabled: true
metric_name: waf-acl-rule-rate-limit-per-IP
purge_rules: true
custom_response_bodies:
too_many_requests:
content_type: APPLICATION_JSON
content: '{ message: "Your request has been blocked due to too many HTTP requests coming from your IP" }'
region: us-east-1
state: present
name:
description:
- The name of the web acl.
required: true
type: str
tags:
aliases:
- resource_tags
description:
- A dictionary representing the tags to be applied to the resource.
- If the I(tags) parameter is not set then tags will not be modified.
required: false
type: dict
rules:
description:
- The Rule statements used to identify the web requests that you want to allow, block,
or count.
- For a list of managed rules see U(https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html).
elements: dict
suboptions:
action:
description:
- Wether a rule is blocked, allowed or counted.
type: dict
name:
description:
- The name of the wafv2 rule
type: str
priority:
description:
- The rule priority
type: int
statement:
description:
- Rule configuration.
type: dict
visibility_config:
description:
- Visibility of single wafv2 rule.
type: dict
type: list
scope:
choices:
- CLOUDFRONT
- REGIONAL
description:
- Geographical scope of the web acl.
required: true
type: str
state:
choices:
- present
- absent
description:
- Whether the rule is present or absent.
required: true
type: str
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use.
- For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
- The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
- See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
- The C(ec2_region) alias has been deprecated and will be removed in a release after
2024-12-01
- Support for the C(EC2_REGION) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
profile:
aliases:
- aws_profile
description:
- A named AWS profile to use for authentication.
- See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
- The C(AWS_PROFILE) environment variable may also be used.
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
access_key:
aliases:
- aws_access_key_id
- aws_access_key
- ec2_access_key
description:
- AWS access key ID.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
may also be used in decreasing order of preference.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
- The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
AWS botocore SDK.
- The I(ec2_access_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
purge_tags:
default: true
description:
- If I(purge_tags=true) and I(tags) is set, existing tags will be purged from the
resource to match exactly what is defined by I(tags) parameter.
- If the I(tags) parameter is not set then tags will not be modified, even if I(purge_tags=True).
- Tag keys beginning with C(aws:) are reserved by Amazon and can not be modified. As
such they will be ignored for the purposes of the I(purge_tags) parameter. See
the Amazon documentation for more information U(https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions).
required: false
type: bool
secret_key:
aliases:
- aws_secret_access_key
- aws_secret_key
- ec2_secret_key
description:
- AWS secret access key.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
variables may also be used in decreasing order of preference.
- The I(secret_key) and I(profile) options are mutually exclusive.
- The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
the AWS botocore SDK.
- The I(ec2_secret_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
description:
description:
- Description of wafv2 web acl.
type: str
metric_name:
description:
- Name of cloudwatch metrics.
- If not given and cloudwatch_metrics is enabled, the name of the web acl itself will
be taken.
type: str
purge_rules:
default: true
description:
- When set to C(no), keep the existing load balancer rules in place. Will modify and
add, but will not delete.
type: bool
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to connect to instead of the default AWS endpoints. While this can be used
to connection to other AWS-compatible services the amazon.aws and community.aws
collections are only tested against AWS.
- The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
order of preference.
- The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
a release after 2024-12-01.
- Support for the C(EC2_URL) environment variable has been deprecated and will be
removed in a release after 2024-12-01.
type: str
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- The C(AWS_CA_BUNDLE) environment variable may also be used.
type: path
session_token:
aliases:
- aws_session_token
- security_token
- aws_security_token
- access_token
description:
- AWS STS session token for use with temporary credentials.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
variables may also be used in decreasing order of preference.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
the parameter being renamed from I(security_token) to I(session_token) in release
6.0.0.
- The I(security_token), I(aws_security_token), and I(access_token) aliases have been
deprecated and will be removed in a release after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
has been deprecated and will be removed in a release after 2024-12-01.
type: str
default_action:
choices:
- Block
- Allow
description:
- Default action of the wafv2 web acl.
type: str
validate_certs:
default: true
description:
- When set to C(false), SSL certificates will not be validated for communication with
the AWS APIs.
- Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
setting I(aws_ca_bundle) instead.
type: bool
sampled_requests:
default: false
description:
- Whether to store a sample of the web requests, true or false.
type: bool
cloudwatch_metrics:
default: true
description:
- Enable cloudwatch metric for wafv2 web acl.
type: bool
custom_response_bodies:
description:
- A map of custom response keys and content bodies. Define response bodies here and
reference them in the rules by providing
- the key of the body dictionary element.
- Each element must have a unique dict key and in the dict two keys for I(content_type)
and I(content).
- Requires botocore >= 1.20.40
type: dict
version_added: 3.1.0
version_added_collection: community.aws
debug_botocore_endpoint_logs:
default: false
description:
- Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the C(aws_resource_action) callback to output to total list made
during a playbook.
- The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
type: bool
arn:
description: web acl arn
returned: Always, as long as the web acl exists
sample: arn:aws:wafv2:eu-central-1:123456789012:regional/webacl/test05/318c1ab9-fa74-4b3b-a974-f92e25106f61
type: str
capacity:
description: Current capacity of the web acl
returned: Always, as long as the web acl exists
sample: 140
type: int
custom_response_bodies:
description: Custom response body configurations to be used in rules
returned: Always, as long as the web acl exists
sample:
too_many_requests:
content: '{ message: "Your request has been blocked due to too many HTTP requests
coming from your IP" }'
content_type: APPLICATION_JSON
type: dict
default_action:
description: Default action of ACL
returned: Always, as long as the web acl exists
sample:
allow: {}
type: dict
description:
description: Description of the web acl
returned: Always, as long as the web acl exists
sample: Some web acl description
type: str
name:
description: Web acl name
returned: Always, as long as the web acl exists
sample: test02
type: str
rules:
description: Current rules of the web acl
returned: Always, as long as the web acl exists
sample:
- name: admin_protect
override_action:
none: {}
priority: 1
statement:
managed_rule_group_statement:
name: AWSManagedRulesAdminProtectionRuleSet
vendor_name: AWS
visibility_config:
cloud_watch_metrics_enabled: true
metric_name: admin_protect
sampled_requests_enabled: true
type: list
visibility_config:
description: Visibility config of the web acl
returned: Always, as long as the web acl exists
sample:
cloud_watch_metrics_enabled: true
metric_name: blub
sampled_requests_enabled: false
type: dict